Site icon Sophos News

Closed doors are no match for a Wi‑Fi peeping tom and a smartphone

Wherever people are these days, there are wireless transmissions, be it GPS, AM/FM, or Wi-Fi.
If you’re in a home, at the office, or walking down the street, you’re being bathed in signals, ranging in RF frequency from a few kilohertz to terahertz. Many of the invisible transmissions pass through us, while others bounce off.
It’s the signals that bounce off us that interest researchers, who’ve identified a way to use smartphones to see through walls, analyze reflected, ambient transmissions, and spy on people’s presence and movements in their own homes or offices.
This might sound familiar: MIT researchers also used wireless transmissions three years ago to do the same thing. They created a device that can discern where you are and who you are, detecting gestures and body movements as subtle as the rise and fall of a person’s chest, from the other side of a house, through a wall, even though subjects were invisible to the naked eye.
Earlier systems had drawbacks, however. The MIT system, as well as earlier systems, required knowing the exact position of Wi-Fi transmitters and had to be logged in to the network so they could send known signals back and forth, according to MIT Technology Review.
For example, a system created by University of Utah researchers in 2009 involved a 34-node wireless network. You couldn’t exactly put MIT’s 2015 RF-Capture system into your pocket, either. Other drawbacks: the MIT system’s sensor was fussy. It required a person to be walking directly at it to function and had a tougher time picking up on somebody walking at an angle.


The latest in peeping tom technology is far different: it only requires a smartphone and some clever computation. A team of researchers headed up by Yanzi Zhu, at the University of California Santa Barbara, have demonstrated using a smartphone to successfully track people in 11 real-world locations, with “high accuracy.”
As the researchers describe in their recently published paper, titled Adversarial WiFi Sensing, their technique enables unprecedented invasion of privacy:

We believe that, by leveraging statistical data mining techniques, even a weak adversary armed with only passive off-the-shelf Wi-Fi receivers can perform invasive localization attacks against unsuspecting targets.

They suggest one attack scenario: thieves looking to break in to an office building. Specialized Wi-Fi hardware – devices such as directional antenna, antenna array, and Universal Software Radio Peripheral (USRP) – are not only expensive; they’re bulky and conspicuous.
But commodity Wi-Fi receivers could be used to identify the location of employees or security personnel, enabling the thieves to avoid detection. They could take advantage of near-ubiquitous Wi-Fi transmissions – such as digital assistants or Wi-Fi access points – to passively locate and track moving users.
Unlike earlier systems, the researchers’ smartphone location attacks are entirely passive, relying on Wi-Fi sniffing that doesn’t actively transmit any RF signals.
MIT Technology Review describes the challenges Zhu and his team were up against when it comes to the noisy, smeared world of RF signals that forced them to come up with a computational scheme to enable them to pick out humans and their movements:

If humans were able to see the world as Wi-Fi does, it would seem a bizarre landscape. Doors and walls would be almost transparent, and almost every house and office would be illuminated from within by a bright light bulb – a Wi-Fi transmitter.
But despite the widespread transparency, this world would be hard to make sense of. That’s because walls, doors, furniture, and so on all reflect and bend this light as well as transmitting it. So any image would be impossibly smeared with confusing reflections.
But this needn’t be an issue if all you are interested in is the movement of people. Humans also reflect and distort this Wi-Fi light. The distortion, and the way it moves, would be clearly visible through Wi-Fi eyes, even though the other details would be smeared. This crazy Wi-Fi vision would clearly reveal whether anybody was behind a wall and, if so, whether the person was moving.

Out of this Wi-Fi haze, Zhu and his team had to detect changes in ordinary Wi-Fi signals that would point to the presence of human bodies.
The problem is that Wi-Fi sniffers don’t render images. Zhu and his team instead relied on measuring signal strength as they walked around a building. After all, you can’t figure out where signal-distorting humans are without knowing where the signals are coming from. On their walk, they took brief spatial measurements of the received signal strength (RSS) and where it strengthened and faded out, depending on an app they had built that used the smartphone’s built-in accelerometers to record their movement and to then analyze the change in signal strength as they moved.
Walking back and forth helped them to pretty reliably nail the location of a transmitter, they said:

We found that consistency check across 4 rounds of measurements is sufficient to achieve room level localization of 92.6% accuracy on average.

The researchers tested their technique using Nexus 5 and Nexus 6 Android smartphones to peep into 11 offices and apartments whose owners had agreed to participate in the project. Many of those locations had Wi-Fi devices, and they found that the more there were, the easier it made their job:

We see that with more than 2 Wi-Fi devices in a regular room, our attack can detect more than 99% of the user presence and movement in each room we have tested.

How to draw the Wi-Fi blinds?

The researchers propose three possible defenses: geo-fencing Wi-Fi signals, rate limiting Wi-Fi signals, and signal obfuscation.
Geo-fencing works pretty well to fend off attackers who might go after us with cellphones and algorithms in this manner: it more than doubled localization errors, dropping room-level accuracy from 92.6% to 41.15%. In practice, though, it’s extremely tough to deploy and configure. Rate limiting messes up devices’ operability, particularly Internet of Things (IoT) devices.
That leaves signal obfuscation: adding noise so devices can’t be located accurately. The downsides include that attackers can just use an extra sniffer to suss out the noise and subtract it from the signal traces. Another major drawback is extra consumption of Wi-Fi bandwidth and energy at the access point. Still, it looks to be the best potential defense so far: the researchers hope to refine obfuscation defense in the future to protect against these attacks.
For now, people should be advised that Wi-Fi everywhere might be convenient, but it also threatens our privacy, they said:

While greatly improving our everyday life, [wireless transmissions] also unknowingly reveal information about ourselves and our actions.

Exit mobile version